Policy does not Pushed To AP

sergey.dibrov
Level 1

Hello Team.

We have C9800 with Wave 2 AP in flex mode.

We are trying to implement SGACL enforcement for locally switched traffic.


I see the SXP connection with ISE. But SGACL enforcement doesn't work.

But in the C9800 GUI, on the AP page, TrustSec tab, I see (screenshot attached) "Policy does not Pushed To AP".

I see the SGACL has been downloaded to the WLC:

wlc-test#show cts rbacl 
CTS RBACL Policy
================
RBACL IP Version Supported: IPv4 & IPv6
  name   = Permit IP-00
  IP protocol version = IPV4, IPV6
  refcnt = 2
  flag   = 0xC1000000
  stale  = FALSE
  RBACL ACEs:
    permit ip

  name   = BLOCK-01
  IP protocol version = IPV4
  refcnt = 3
  flag   = 0x40000000
  stale  = FALSE
  RBACL ACEs:
    deny ip any any

I see the SGT tags have been downloaded to the WLC:

wlc-test#show cts role-based sgt-map all
Active IPv4-SGT Bindings Information

IP Address              SGT     Source
============================================
10.64.110.2             2       INTERNAL
10.64.128.6             11      SXP
10.64.128.194           2       INTERNAL
10.86.224.16            17      LOCAL


I have configured the CTS policy in the flex profile.


From the WLC:

wlc-test#show wireless cts

Local Mode CTS Configuration

Policy Profile Name      SGACL Enforcement  Inline-Tagging  Default-Sgt
------------------------------------------------------------------------
SM-CORP                  DISABLED           DISABLED        0
SM-IPSK                  ENABLED            DISABLED        0
SM-OPEN                  DISABLED           DISABLED        0
SM-GUEST                 ENABLED            ENABLED         0
SM-OPEN2                 DISABLED           DISABLED        0
default-policy-profile   DISABLED           DISABLED        0


Flex Mode CTS Configuration

Flex Profile Name        SGACL Enforcement  Inline-Tagging
-----------------------------------------------------------
TEST                     ENABLED            DISABLED
default-flex-profile     DISABLED           DISABLED

I need to block traffic from SGT 17 to SGT 6 by applying SGACL on AP.
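As an added illustration (not code from this post, from Cisco, or from ISE), a small Python checker that parses the three show outputs quoted above and lists which controller-side prerequisites for enforcement on a flex AP are missing. The function names and the trimmed excerpts are mine; the checker only sees what the WLC reports, not the AP side where the GUI shows the policy push status.

```python
import re

# WLC output excerpts reproduced from the post (trimmed to the lines the checks need).
RBACL_OUT = """  name   = Permit IP-00
  RBACL ACEs:
    permit ip

  name   = BLOCK-01
  RBACL ACEs:
    deny ip any any"""
SGT_MAP_OUT = """10.64.128.6             11      SXP
10.86.224.16            17      LOCAL"""
FLEX_CTS_OUT = """Flex Profile Name SGACL Enforcement Inline-Tagging
TEST ENABLED DISABLED
default-flex-profile DISABLED DISABLED"""

def parse_rbacls(text):
    """'show cts rbacl' -> {rbacl name: [ACE, ...]}."""
    acls, name = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*name\s*=\s*(.+?)\s*$", line)
        if m:
            name = m.group(1)
            acls[name] = []
        elif name and re.match(r"\s+(permit|deny)\s", line):
            acls[name].append(line.strip())
    return acls

def parse_sgt_map(text):
    """'show cts role-based sgt-map all' -> {ip: (sgt, source)}."""
    rows = re.findall(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)", text, re.M)
    return {ip: (int(sgt), src) for ip, sgt, src in rows}

def parse_flex_cts(text):
    """Flex table of 'show wireless cts' -> {flex profile: SGACL enforcement enabled?}."""
    rows = re.findall(r"^(\S+)\s+(ENABLED|DISABLED)\s+(?:ENABLED|DISABLED)\s*$", text, re.M)
    return {name: state == "ENABLED" for name, state in rows}

def precheck(flex_profile, src_sgt, rbacl_name,
             rbacl=RBACL_OUT, sgt_map=SGT_MAP_OUT, flex=FLEX_CTS_OUT):
    """List the controller-side prerequisites missing for enforcement on a flex AP."""
    findings = []
    if not parse_flex_cts(flex).get(flex_profile):
        findings.append(f"SGACL enforcement not enabled in flex profile {flex_profile}")
    if src_sgt not in {sgt for sgt, _ in parse_sgt_map(sgt_map).values()}:
        findings.append(f"no IP-SGT binding for source SGT {src_sgt} on the WLC")
    if rbacl_name not in parse_rbacls(rbacl):
        findings.append(f"RBACL {rbacl_name} not downloaded from ISE")
    return findings
```

For the post's case, `precheck("TEST", 17, "BLOCK-01")` returns an empty list, so the controller side looks complete and the gap is between the WLC and the AP.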

marce1000
VIP

Check if any of the mentioned restrictions could affect your case

 - Ref : https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-1/config-guide/b_wl_17_11_cg/cisco-trustsec.html#id_85935

>...

Guidelines and Restrictions

  • SGACL enforcement is carried out on the controller for local mode.

  • SGACL enforcement is carried out on an AP for flex-mode APs performing local switching.

  • SGACL enforcement for wireless clients is carried out either on the upstream switch or on the border gateway in a Branch-to-DC scenario.

  • SGACL enforcement is not supported for non-IP or IP broadcast or multicast traffic.

  • Per-WLAN SGT assignment is not supported.

  • SGACL enforcement is not carried out for control-plane traffic between an AP and the wireless controller (for upstream or from upstream traffic).

  • Non-static SGACL configurations are supported only for dynamic SGACL policies received from ISE.

  • Static SGACL configuration on an AP is not supported.

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
   When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '